Pop quiz: You see two different smart thermostats for sale, one from a well-known brand and the other, cheaper one is from a no-name vendor. You’re trying to make a decision about which product to buy and you might be wondering, “Which one is more likely to be hacked?”
The answer: You have no way of knowing. That’s because today there is effectively no transparency regarding a product’s security level to the end user. UL, however, is aiming to change that, with its new IoT Security Rating, a solution that provides a UL Verified Mark security label to IoT consumer products.
FierceElectronics sat down with IoT Security Solution Leader, Laurens van Oijen, to gain insight into how the solution works and when consumers can expect to see the security label popping up on IoT consumer products.
FE: Tell me about UL’s IoT Security Rating, which UL introduced in May 2019.
Van Oijen: UL’s IoT Security Rating creates a security baseline for IoT consumer products through a comprehensive evaluation process that assesses security aspects of a device against known vulnerabilities and common attack methods. It also ensures minimum security capabilities are met, as articulated by ETSI TS 103 645 and other industry standards.
In short, it’s a security verification and labeling solution for IoT products—meaning basically anything connected to a network—that categorizes products according to an ascending five-level scale: Bronze, Silver, Gold, Platinum and Diamond. Verified products receive a differentiated UL Verified Mark security label—specifying the achieved security level—which is evaluated by UL on an ongoing basis. And I should note it is available worldwide.
The idea of creating a security rating for IoT devices actually came up at UL as far back as 2015, but we did not pursue the idea because we felt industry wasn’t ready at the time. But since then, we’ve been keeping tabs on industry developments, and a little over two years ago a team was formed to turn that idea into a reality. My role as solution leader has been to coordinate the different activities required to design the solution with our technical and business development teams, and then to validate the concept with device makers and retailers.
FE: What is the benefit to device makers in securing the UL rating?
Van Oijen: I would say the most important benefit is that the UL rating enables device makers to be more transparent to the end user. When evaluating competing products, consumers typically want to be able to tell how they differ in features, functionality, and of course price. But over the past few years, security and privacy are becoming more important to consumers. In fact, they are on their way to becoming one of the top influencing factors for making purchasing decisions, and I think that is because so many hacks and security breaches have made the news.
End users are demanding to know about the security of the product they intend to buy, which in turn means that manufacturers need a way to convey a product’s security capabilities to the end customer. When applied to a product, UL’s IoT Security Rating demonstrates that it uses industry best practices for IoT cybersecurity and protection of consumer data.
FE: Are there alternative security ratings or markings for consumer IoT products today?
Van Oijen: The concept of a security rating is at a really early stage today, and it is sort of a fragmented marketplace that isn’t regulated the same way as standards are. There are a number of other solutions out there, but to our knowledge UL is the first to introduce the concept of multiple levels of security ratings as opposed to a singular mark.
FE: How does the UL IoT Security Rating solution work in practice?
Van Oijen: It starts with a technical requirements framework, a document called the UL MCV 1376, which is available on the UL website. The document outlines how the five levels of the rating system are designed and which security requirements are part of that rating level.
I would advise as a first step that a device maker take a look at that framework to gauge how their product would perform. Ultimately, every company should want to get to the highest rating possible, but the diamond level is quite challenging to reach. I think today the choice comes down to how much security assurance a particular device needs [those directly accessible from the Internet needing the most], and what makes sense from the cost and the return on that investment.
UL would then perform an analysis of that product to ensure it meets the requirements of the specified security level. One of the other things that we do when we issue the actual rating is provide a QR code to the end customer, which takes them to a webpage that in layman’s terms describes the rating system and what each of the levels means.
FE: If I were to see a smart thermostat made by a “no-name” brand at 30% of the cost of a name brand, could I almost assume security is one of the areas that the manufacturer would have chosen to cut costs?
Van Oijen: I am inclined to say yes, but the truth is we just don’t know, especially if neither product carries a security label. Obviously, building in security takes more upfront development. You can also enhance a product’s security by adding third-party hardware and software, so technically this could all result in a higher retail price. But you are touching on the exact problem that we are trying to solve: The level of product security today is simply not available at the point of purchase.
FE: UL rolled this out in 2019. What has been the adoption rate so far?
Van Oijen: We announced the solution in May 2019, and this year we started rating products. The first manufacturer that we announced was GE Appliances, which has a gold level for their entire portfolio of smart home appliances. The mark should now be appearing on products in stores.
The types of products we have rated are primarily consumer IoT—mainly appliance products—and a number of commercial products. We have worked with several dozen manufacturers, providing ratings for literally hundreds of products. Products in the pipeline today range from wearables to lighting devices and robots. From a geographic and company size perspective, the interest is coming from a pretty diverse set of manufacturers.
FE: Recently, after reverse-engineering a dozen smart home devices, the global security lab Riscure found security shortcomings in all of them. Why is it that makers of these devices do such a poor job when it comes to security?
Van Oijen: I don’t believe that any company intentionally sets out to build a product that is not secure. We think that device security is more of a commercial issue than a technical problem. From a design standpoint, there is a wealth of educational resources, IoT standards like NIST IR 8259A, and plenty of service providers that can teach companies how to secure their IoT device.
The issue is that product security today is still seen as a cost instead of a benefit. We believe that device makers are insufficiently incentivized from a commercial standpoint when they make an investment in security, and that it is not viewed as a competitive advantage today.
Transparency around a specific product attribute can change that dynamic. A great example is the energy labels that started popping up on products about ten years ago. Basically, these labels made a product’s energy efficiency transparent to the end user. What happened is that when the end users expressed that they valued buying more energy-efficient products, manufacturers in turn invested more to demonstrate the efficiency of their products. Today, the motivation in that space has shifted from trying to stay ahead of the competition to not falling behind. Ultimately, the effect of these ratings is that consumers are more likely to purchase the product.
We’re hoping to instigate a similar trend with our IoT Security Rating and encourage manufacturers to make their products more secure.
In this case, our rating is voluntary, not mandatory—it’s a carrot, not a stick. That changes as soon as regulations come into play. Referring back to the energy label, once it started to be adopted by industry, the government decided to enforce it. I don’t know if we can expect the same thing to happen here. But where we know regulators are working on security legislation, we want to tie our solution to those regulations. Whatever form it ultimately takes, I do believe that in the future greater product security and transparency around that security will happen.
FE: How do you think the new California and Oregon laws, which hold device makers responsible for the inclusion of reasonable security features, will impact design practices, and are you aware of any cases that have been brought as a result? Could states mandate your designation on IoT products sold or made there?
Van Oijen: We are happy that these regulations have been introduced, as they represent a hallmark in the history of IoT security. But they do have their shortcomings, and there is room for improvement. The definition of “reasonable security” features is considered vague, but that is not uncommon when it comes to security-related regulations, which today are typically open to multiple ways of interpretation.
At the same time, both state laws call out having unique passwords for a device as a security measure. This is where at least we would bring in additional rigor, such as secure communications with a remote system, or routine updates after purchase when a vulnerability is discovered. I think the benefit of these regulations is that device makers are stimulated to perform continued security due diligence on their products. Having their products regularly tested and verified will help them to meet those objectives. And of course by working with us, we ensure that connected devices from a company’s portfolio are compliant with the California and Oregon regulations and any other state that might enact them.
FE: How are you getting the word out?
Van Oijen: It all starts with awareness, and that is one of the things that we are actively focusing on. We are collaborating with the vendors that we have rated, as well as exploring partnerships with retailers and other industry organizations that have more direct contact with the end users.
FE: What is the role of retailers here, and is their willingness to carry a brand and offer things like warranties a de facto endorsement that it meets cybersecurity design standards? Does UL work with specific retailers and if so, how?
Van Oijen: We definitely believe that anyone who owns or controls the marketplace can have a great impact on security requirements in general. We also think that consumer representative organizations should call on retailers to take a more proactive stance on IoT security and become more demanding of their vendors. In fact, we’ve received feedback from device makers that if a retailer should back security ratings, that would help them decide to get it.